Cybersecurity Architecture and Engineering Flashcards
What are two ways to measure risk?
Quantitative and Qualitative
Which risk response is also included when risk mitigation is performed?
Acceptance
This describes the probability of a threat being realized.
Likelihood
This describes the amount of loss during a one-year timespan.
Annualized Loss Expectancy (ALE)
This phase of the risk management life cycle identifies effective means by which identified risks can be reduced.
Control
A _________________ should include detailed descriptions of the necessary steps required to successfully complete a task.
Process
This function of the NIST CSF defines capabilities needed for the timely discovery of security incidents.
Detect
A formal mechanism designed to measure performance of a program against desired goals.
Key Performance Indicator (KPI)
Which cloud service type represents the lowest amount of responsibility for the customer?
SaaS
This describes when a customer is completely dependent on a vendor for products or services.
Vendor lock-in
This describes when a copy of vendor-developed source code is provided to a trusted third party, in case of disaster.
Source code escrow
This describes all of the suppliers, vendors, and partners needed to deliver a final product.
The Supply Chain
A set of cybersecurity standards developed by the United States Department of Defense (DoD) and designed to help fortify the DoD supply chain.
CMMC
True or False. The use of cloud service providers always reduces risk.
False
Which type of data can be used to identify an individual and includes information about past, present, or future health?
Protected Health Information (PHI)
Which type of data describes intangible products of human thought and ingenuity?
Intellectual Property (IP)
Which data destruction method is focused on the sanitization of the key used to perform decryption of data?
Crypto erase
Which concept identifies that the laws governing the country in which data is stored have control over the data?
Data sovereignty
A non-regulatory agency in the United States that establishes standards and best-practices across the entire science and technology field is known as:
NIST
What regulation enforces rules for organizations that offer services to entities in the European Union (EU) or that collect and/or analyze data on subjects located there?
GDPR
Which U.S. federal law is designed to protect the privacy of children?
COPPA
Which process is designed to provide assurance that information systems are compliant with federal standards?
Assessment and Authorization
This describes the identification of applicable laws depending on the location of the organization, data, or customer/subject.
Jurisdiction
What concept is often linked to the “prudent man rule”?
Due care
This describes when an organization’s legal team receives notification instructing them to preserve electronically stored information.
Legal hold
What type of agreement is often described as an “umbrella” contract that establishes the agreement between two entities to conduct business?
Master Services Agreement (MSA)
Which agreement governs services that are both measurable and repeatable and also generally include enforcement mechanisms that result in financial penalties for non-compliance?
Service Level Agreement (SLA)
What is the last step in a business continuity plan?
Maintenance
NIST defines this as “An analysis of an information system’s requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.”
Business Impact Analysis
This generally defines the amount of data that can be lost without irreparable harm to the operation of the business.
Recovery Point Objective
Which type of assessment seeks to identify specific types of sensitive data so that its use and handling can be properly disclosed?
Privacy Impact Assessment
Using other branch locations to manage a disaster response is referred to as:
Alternate Operating Facilities
Which type of DR site has lowest operating expense and complexity?
Cold Site
This type of site is one that can be activated and used within minutes.
Hot Site
This term describes when cloud service offerings are used for DR capabilities.
DRaaS, DR as a Service
True or False. Incident response should only involve the information technology department.
False
True or False. BCDR is a technical capability and so senior leadership involvement is not required.
False
True or False. BCDR plans should not be tested as doing so may break production systems.
False
Which type of simulation test includes a meeting to review the plans and analyze their effectiveness against various BCDR scenarios?
Walk-through
Which type of simulation test is used to determine whether all parties involved in the response know what to do and how to work together to complete the exercise?
Tabletop Exercise
When performing this type of test, issues and/or mistakes could cause a true DR situation:
Full Interruption
What are the two main components of a VPN?
Creating a tunnel and protecting data via encryption
Identify some ways a VPN might help an adversary avoid detection.
Answers will vary but should include a description of hiding data/activities and geographic location.
Describe a solution designed to validate the health of an endpoint prior to allowing access.
Network Access Control (NAC)
This is a passive technology used to provide visibility into network traffic within a switch.
Test Access Port or TAP
What version of SNMP should be used whenever possible?
Version 3
Which type of environment is characterized by having hosts and networks available for use by visitors, such as the public or vendors?
Guest
This describes a specially configured, highly hardened, and closely monitored system used to perform administrative tasks.
Jump Box
This type of network segmentation differs from a traditional network segmentation approach as it provides much higher levels of security, granularity, and flexibility.
Microsegmentation
What type of architecture adopts the approach of “never trust, always verify”?
Zero Trust Architecture
This implementation creates a software-defined network by utilizing existing physical network equipment.
SDN Overlay
This describes improving performance by adding additional resources to an individual system, such as adding processors, memory, and storage to an existing server.
Scaling vertically
A ______________________________________ leverages the global footprint of cloud platforms by distributing and replicating the components of a service to improve performance to all the key service areas needing access to the content.
Content Delivery Network (CDN)
What design strategy often conflicts with information technology management approaches that look to consolidate platforms and reduce product portfolios?
Heterogeneity/Diversity
Which type of virtualization allows the client to either access an application hosted on a server or stream the application from the server to the client for local processing?
Application Virtualization
This non-profit organization provides guidance and best practices on the development and protection of web applications.
OWASP
What are some of the functions that can be performed via a Container API?
Some examples include list logs generated by an instance; issue commands to the running container; create, update, and delete containers; and list capabilities.
What environment is used to merge code from multiple developers to a single master copy and subject it to unit and functional tests?
Test or Integration Environment
Which type of application testing is frequently performed using scanning tools such as OWASP’s Zed Attack Proxy (ZAP)?
Dynamic Application Security Testing (DAST)
This describes middleware software designed to enable integration and communication between a wide variety of applications throughout an enterprise.
Enterprise Service Bus (ESB)
True or False. Traditional software development models incorporate security requirements throughout all phases.
False
Which type of software testing ensures that a particular block of code performs the exact action intended and provides the exact output expected?
Unit Testing
Which type of testing verifies that individual components of a system are tested together to ensure that they interact as expected?
Integration Testing
What development model includes phases that cascade with each phase starting only when all tasks identified in the previous phase are complete?
Waterfall
What development model incorporates Security as Code (SaC) and Infrastructure as Code (IaC)?
SecDevOps
Storing passwords using this method should be disabled as it provides marginal improvements in protection compared to simply storing passwords in plaintext.
Reversible Encryption
What is the term used to describe when credentials created and stored at an external provider are trusted for identification and authentication?
Federation
Which access control model is a modern, fine-grained type of access control that uses a type of markup language call XACML?
Attribute-Based Access Control (ABAC)
What authentication protocol is comparable to RADIUS and associated with Cisco devices?
TACACS+
What authentication scheme uses an HMAC built from a shared secret plus a value derived from a device and server’s local timestamps?
Time-Based One Time Password (TOTP)
In which stage of the data life cycle is data shared using various mechanisms, such as email, network folders, websites, or cloud storage?
Use
Describe some of the critical elements included in data management.
Answers will vary but should include descriptions of data inventory, data mapping, backups, quality assurance, and integrity controls.
Identify some practical DLP example use-cases.
Blocking use of external media, print blocking, Remote Desktop Protocol (RDP) blocking, clipboard privacy controls, restricted virtual desktop infrastructure (VDI) implementation, data classification blocking.
What is the name of the data obfuscation method that replaces sensitive data with an irreversible value?
Tokenization
What data obfuscation method is designed to protect personally identifiable information so that data can be shared?
Anonymization
Which type of virtualization platform supports microservices and server-less architecture?
Containerization
_____________________________ is assigned to cloud resources through the use of tags and is frequently exploited to expose configuration parameters which may reveal misconfigured settings.
Metadata
Which type of cloud service model can be described as virtual machines and software running on a shared platform to save costs and provide the highest level of flexibility?
Multi-tenant
After powering-up a virtual machine after performing maintenance, the virtual machine is no longer accessible by applications previously configured to connect to it. What is a possible cause of this issue?
The IP address was reassigned to another instance.
Which type of storage model supports large amounts of unstructured data and is commonly used to store archives and backup sets?
Blob Storage
Which technology uses a ledger distributed across a peer-to-peer (P2P) network?
Blockchain
___________________ reality emulates a real-life environment through computer-generated sights and sounds.
Augmented/Virtual
This term describes computer-generated images or video of a person that appear to be real but are instead completely synthetic and artificially generated.
Deep Fake
______________ computers use information represented by spin properties, momentum, or even location of matter as opposed to the bits of a traditional computer.
Quantum
Which technology allows the crafting of components on-demand, and potentially eliminates the need to share designs or plans that may lead to intellectual property theft?
3D printing
Identify two types of certificates commonly used to implement access controls for mobile devices.
Trust (device) and user certificates
Which standard is associated with the Simultaneous Authentication of Equals (SAE)?
WPA3 (Wi-Fi 6)
Which type of device attack allows complete control of a device without the target device being paired with the attacker?
BlueBorne
Identify some reasons why DoH poses a security threat in an enterprise setting.
Answers may vary. DoH, if approved, must be configured to use a trusted provider. DoH encapsulates DNS traffic within https traffic making it harder to identify. DoH can bypass external DNS query restrictions configured on firewalls.
Identify how Bluetooth can be used for physical reconnaissance.
Answers may vary. Bluetooth devices are discoverable using freely available tools, meaning an attacker can locate out-of-sight devices and also collect information about the hardware and vendor.
Identify some reasons why EOL software and hardware are concerning.
Responses will vary but should include a description regarding the lack of vendor support and vendor-supplied security patches.
True or False. Operating System instances running in the cloud are patched automatically by the cloud provider.
Flase
Which types of attacks on the Android OS can bypass the protections of mandatory access control?
Inter-app communication attacks
Which control is designed to prevent a computer from being hijacked by a malicious OS?
Answers may vary but secure boot, measured boot, or attestation services all apply.
Which type of host protection should provide capabilities that directly align to the NIST Cybersecurity Framework Core?
Endpoint Protection and Response
True or False. Operating in a public cloud removes the need for BCDR plans due to the fact that cloud platforms are so reliable.
False
What name is given to the practice of splitting encrypted data outputs into multiple parts which are subsequently stored in disparate storage locations?
Bit Splitting or Cryptographic Splitting
Which cloud computing practice eliminates the use of traditional virtual machines to deliver cloud services?
Serverless Computing
What is a critical component dictating the implementation of logging capabilities in the cloud?
Legal and regulatory compliance
What is the primary source of data breach in the cloud?
Misconfiguration
Which component integrates practically all the components of a traditional chipset including GPU?
System on a Chip, or SoC
Which type of industrial computer is typically used to enable automation in assembly lines and is programmed using ladder language?
Programmable Logic Controller, or PLC
Which type of availability attack are industrial computers most sensitive to?
Denial of Service, or DoS
An ________ ________ describes the method by which ICS are isolated from other networked systems.
Air Gap
What makes attacks against ICS uniquely concerning?
Answers will vary, but essentially because ICS control systems that interact with the real world and can cause humanitarian and/or environmental disasters when breached or attacked.
What is the name of the algorithm used by SHA-3?
Kekkack
Which MAC method is commonly paired with Salsa20 on hardware that does not have integrated AES support?
Poly1305
Describe the key distribution problem.
Answers will vary. Should identify that it is associated with symmetric encryption and that sharing the key between two parties can be risky if not performed carefully.
Is Salsa20 a stream or block cipher?
Stream
How are modes of operation related to symmetric encryption?
Answers will vary. Modes of operation are like “techniques” used to make symmetric block ciphers operate in a way that is comparable to stream ciphers.
What symmetric encryption problem is asymmetric encryption uniquely equipped to solve?
Key distribution
What is the bulk encryption method used in the following cipher suite? ECDHE-RSA-AES128-GCMSHA256
AES
What encryption scheme is generally associated with protecting email?
Secure/Multipurpose Internet Mail Extensions (S/MIME)
What issue related to the use of authentication header (AH) makes it difficult/problematic to implement?
It does not work across NAT gateways.
Which implementation of Elliptic Curve Cryptography (ECC) is no longer recommended for use by the NSA?
P256
True or False. Private keys are contained within digital certificates.
False. Public keys are contained within digital certificates.
Which of the following would be best suited to protecting data stored on a removable disk: IPSec, TLS or AES?
AES is a symmetric block cipher and best suited to this. IPSec and TLS are associated with transport encryption.
Which device used to provide strong authentication stores a user’s digital certificate, private key associated with the certificate, and a personal identification number (PIN)?
Smart card
How do device certificates help security operations?
Answers will vary. A description of using device certificates to identify authorized endpoints is appropriate.
What is the purpose of a bridge CA?
Answers will vary. A bridge CA allows the interoperability and shared trust between multiple, otherwise independent, PKIs. Bridge CAs enable cross-certification.
_________________ ___________________ is the entity responsible for issuing and guaranteeing certificates.
Certificate Authority
True or False. A website protected with a valid digital certificate is guaranteed to be safe.
False. The digital certificate provides assurance that the site is genuine, but it could still be rogue in nature.
What is another term to describe the requirement for both client and server devices to use certificates to verify identity?
Mutual authentication
What is the name of the response header configured on a web server to notify a browser to connect to the requested website using HTTPS only?
HTTP Strict Transport Security (HSTS)
The error message “your connection is not private” is displayed when accessing a known website. What is a possible cause of this error?
The website is configured to use a weak signing algorithm.
Which threat assessment approach is described as emulating known TTPs to mimic the actions of a threat in a realistic way, without emulating a specific threat actor?
Threat emulation
Which defensive approach describes a team of specialists working with the viewpoint of “assume breach”?
Threat Hunting
Which threat actor group includes adversaries such as Anonymous, WikiLeaks, or LulzSec?
Hacktivists
Developed by Lockheed Martin, this describes the steps/actions an adversary must complete in order to achieve their goals.
Cyber Kill Chain
True or False. CPE is a list of records where each item contains a unique identifier used to describe publicly known vulnerabilities.
False. The description is for CVE.CPE uses a syntax similar to Uniform Resource Identifiers (URI), CPE is a standardized naming format used to identify systems and software.
What vulnerability assessment analysis approach requires the evaluation of a system or software while it is running?
Dynamic assessment
What testing method uses specialty software tools designed to identify problems and issues with an application by purposely inputting/injecting malformed data to it?
Fuzzing or fuzz testing
This describes the actions of an attacker using one exploited system to access another within the same organization.
Pivoting
What document describes the manner in which a pentest may be performed?
Rules of Engagement (RoE)
Which category of tool describes the Metasploit tool?
An exploit framework
Honeytoken and canary files are types of _______________ files.
Decoy
Which type of deceptive technology is generally less complicated to deploy than other deceptive technologies but can serve a similar purpose?
Simulator
An ___________________________ system is one that is “unchangeable.”
Immutable
______________________________ describes the set of configuration changes made to improve the security of an endpoint from what the default configuration provides.
Hardening
In Linux, ________________ describe self-contained software applications which include all the necessary components and libraries they need to be able to operate on an immutable system.
Flatpaks
Which type of vulnerability is caused by processes operating under the assumption that a critical parameter or piece of information has not changed?
TOCTOU
When reviewing the operation of a web application, the following is observed: https://www.foo.com/ products/ jsessionid=8858PNRX949WM26378/?item=bigscree n-tv. What is problematic with this?
The session ID is included in the URL, meaning that anyone with access to the jsessionid information could perform an authentication bypass attack for the identified user.
Which approach describes how software can be analyzed for open-source components?
Software Composition Analysis
True or False. JSON is not dependent upon web technologies.
True. JSON is designed to be leveraged by common web technologies.
What type of attack is most closely associated with the use of characters such as ‘ OR ‘x’ = ‘x’ – ?
Authentication Bypass, a type of SQL injection attack.
True or False. By default, switches provide packet capture utilities full visibility into all traffic flows for connected devices.
False. A switch must be configured to mirror traffic or utilize a tap in order to provide full visibility for packet capture. Switches natively isolate traffic.
Two alerts are generated by an IDS, one with a priority value of 1 and the other with a priority value of 10. Which should be investigated first?
The one with a priority value of 1, which represents a more concerning event type.
Which security product is most likely to support the use of YARA rules?
Antivirus
In what ways does the support of security incidents differ from traditional tickets/requests in IT?
Answers will vary. The answer should describe how security incidents must be handled based on severity rather than order received.
What is most concerning regarding false negatives?
They represent legitimate security incidents that do not generate an alert.
What term describes evidence handling from collection through presentation in court?
Chain of custody
Which utility can be used to extract data from binary files and can display the contents in hexadecimal, decimal, octal, or ASCII formats
hexdump
Which tool can be used to identify interactions between processes and the Linux kernel?
strace
________________________ is a popular command line utility used to analyze memory dumps.
volatility
Which command line utility is designed to display real-time information about system memory, running processes, interrupts, paging, and I/O statistics?
vmstat
The cyclical process of identifying, assessing, analyzing, and responding to risks.
Risk management
The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization.
enterprise risk management (ERM)
A comprehensive set of standards for enterprise risk management.
Risk Management Framework (RMF) or ISO 31000
Likelihood and impact (or consequence) of a threat actor exercising a vulnerability.
Risk
In risk calculation, the chance of a threat being realized, expressed as a percentage.
Likelihood
The severity of the risk if realized by factors such as the scope, value of the asset, or the financial impacts of the event.
Impact
The amount that would be lost in a single occurrence of a particular risk factor.
Single Loss Expectancy (SLE)
The total cost of a risk to an organization on an annual basis. This is determined by multiplying the SLE by the annual rate of occurrence (ARO).
Annual Loss Expectancy (ALE)
In risk calculation, an expression of the probability/likelihood of a risk as the number of times per year a particular loss is expected to occur.
Annual Rate of Occurrence (ARO)
The value of an asset, such as a server or even an entire building.
Asset Value (AV)
In risk calculation, the percentage of an asset’s value that would be lost during a security incident or disaster scenario.
Exposure Factor (EF)
Associated costs of an asset including acquisition costs and costs to maintain and safely operate the asset over its entire lifespan.
Total Cost of Ownership (TCO)
A metric to calculate whether an asset is worth the cost of deploying and maintaining it.
Return on Investment (ROI)
Metric representing average time taken for a device or component to be repaired, replaced, or otherwise recover from a failure.
Mean Time To Recovery (MTTR)
Metric for a device or component that predicts the expected time between failures.
Mean Time Between Failures (MTBF)
An analysis that measures the difference between current state and desired state in order to help assess the scope of work included in a project.
Gap Analysis
In risk mitigation, the practice of ceasing activity that presents risk.
Risk avoidance
The response of determining that a risk is within the organization’s appetite and no countermeasures other than ongoing monitoring is needed.
Risk acceptance
The response of reducing risk to fit within an organization’s risk appetite.
Risk mitigation
In risk mitigation, the response of moving or sharing the responsibility of risk to another entity, such as by purchasing cybersecurity insurance.
Risk transference
A specific path by which a threat actor gains unauthorized access to a system.
attack vectors
Risk that remains even after controls are put into place.
residual risk
A strategic assessment of what level of residual risk is tolerable for an organization.
Risk appetite
A formal mechanism designed to measure performance of a program against desired goals.
Key Performance Indicators (KPI)
The method by which emerging risks are identified and analyzed so that changes can be adopted to proactively avoid issues from occuring.
Key Risk Indicators (KRI)
Property by which a computing environment is able to gracefully fulfill its ever-increasing resource needs.
Scalability
The fundamental security goal of ensuring that an information processing system is trustworthy.
Reliability
The fundamental security goal of ensuring that computer systems operate continuously and that authorized persons can access data that they need.
Availability
Determines the thresholds that separate different levels of risk.
Risk tolerance
Comparing potential benefits to potential risks and determining a course of action based on adjusting factors that contribute to each area.
Tradeoff analysis
Security policy concept that states that duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers.
Separation of duties
The policy of preventing any one individual performing the same role or tasks for too long. This deters fraud and provides better oversight of the person’s duties.
Job rotation
The principle that states when and how long an employee must take time off from work so that their activities may be subjected to a security review.
Mandatory vacation
Basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.
Least privilege
A cloud service provider is any third-party organization providing infrastructure, application and/or storage services via an “as a service” subscription-based, cloud-centric offering.
Cloud Service Provider (CSP)
Identifies that responsibility for the implementation of security as applications, data and workloads are transitioned into a cloud platform are shared between the customer and the cloud service provider (CSP.)
Shared responsibility model
Cloud service model that provisions fully developed application services to users.
Software as a Service (SaaS)
Cloud service model that provisions application and database services as a platform for development of apps.
Platform as a Service (PaaS)
Cloud service model that provisions virtual machines and network infrastructure.
Infrastructure as a Service (IaaS)
A customer is dependent on a vendor for products or services because switching is either impossible or would result in substantial complexity and costs.
Vendor Lock-in
A vendor’s product is developed in a way that makes it inoperable with other products, the ability to integrate it with other vendor products is not a feasible option or does not exist.
Vendor Lockout
A vendor that has a viable and in-demand product and the financial means to remain in business on an ongoing basis.
Vendor Viability
A copy of vendor-developed source code provided to a trusted third party in the event the vendor ceases business.
Source Code Escrow
Verifying the type and level of support to be provided by the vendor in support of their product or service.
Support Availability
Formally defining what functionality is required of a product or service, and taking steps to verify that a vendor’s service or product provides at least this level of functionality.
Meeting Client Requirements
The end-to-end process of supplying, manufacturing, distributing, and finally releasing goods and services to a customer.
supply chain
The capacity to understand how all vendor hardware, software, and services are produced and delivered as well as how they impact an organization’s operations or finished products.
Supply Chain Visibility (SCV)
Industry body providing security guidance to CSPs, including enterprise reference architecture and security controls matrix.
Cloud Security Alliance (CSA)
A framework of security best practices for Cloud service providers that is developed and maintained by the Cloud Security Alliance (CSA).
Security Trust and Risk (STAR)
Use of standards established by the American Institute of Certified Public Accountants (AICPA) to evaluate the policies, processes, and procedures in place and designed to protect technology and financial operations.
System and Organization Controls (SOC)
Develops many standards and frameworks governing the use of computers, networks, and telecommunications, including ones for information security (27K series) and risk management (31K series).
International Organization for Standardization (ISO)
A set of cybersecurity standards developed by the United States Department of Defense (DoD) and designed to help fortify the DoD supply chain by requiring suppliers to demonstrate that they have mature cybersecurity capabilities.
Cybersecurity Maturity Model Certification (CMMC)
A logically separate network, created by using switching technology. Even though hosts on two VLANs may be physically connected to the same cabling, local traffic is isolated to each VLAN so they must use a router to communicate.
virtual local area networks (VLAN)
Data that can be used to identify an individual and includes information about past, present, or future health, as well as related payments and data used in the operation of a healthcare business.
Protected Health Information (PHI)
Personal information about a consumer provided to a financial institution that can include account number, credit/debit card number, name, social security number and other information.
Personal Identifiable Financial Information (PIFI)
Data that is of commercial value and can be granted rights of ownership, such as copyrights, patents, and trademarks.
Intellectual property (IP)
A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of an information asset.
data owner
The process of applying confidentiality and privacy labels to information.
Data classification
The process an organization uses to maintain the existence of and control over certain data in order to comply with business policies and/or applicable laws and regulations.
Data retention
In data protection, the principle that countries and states may impose individual requirements on data collected or stored within their jurisdiction.
Data sovereignty
An individual that is identified by privacy data.
data subject
A set of policies, contracts and standards identified as essential in the agreement between two parties.
attestation of compliance (AOC)
A process executed in four distinct phases: initiation and planning, certification, accreditation, and continuous monitoring.
Certification and accreditation (C&A)
Organizational role with technical responsibilities for implementation of security policies, frameworks, and controls.
Information System Security Officer(ISSO)
The entity responsible for reviewing the results of a certification and accreditation package, including audits reports, and making the final decision regarding accreditation status.
Certifying Authority
A formal letter of accreditation provided to the system owner granting them permission to operate a system.
Authority to Operate(ATO)
A set of standards developed by a group of governments working together to create a baseline of security assurance for a trusted operating system (TOS).
Common Criteria (CC)
Organizational security policies are (to some extent) driven by legislation introduced as a response to the growing appreciation of the threat posed by computer crime. Legislation can cover many aspects of security policy but the key concepts are due diligence (demonstrating awareness of security issues) and due care (demonstrating responses to identified threats). Security policy is also driven by adherence to industry codes of practice and standards.
Due care
A legal principal that a subject has used best practice or reasonable care when setting up, configuring, and maintaining a system.
due diligence
A process designed to preserve all relevant information when litigation is reasonably expected to occur.
legal hold
Procedures and tools to collect, preserve, and analyze digital evidence.
e-Discovery
Predetermined alternate location where a network can be rebuilt after a disaster.
cold site
Alternate processing location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site if needed.
warm site
Fully configured alternate processing site that can be brought online either instantly or very quickly after a disaster.
hot site
An analysis of events that can provide insight into how to improve response processes in the future.
after action report (AAR)
Software or hardware device that protects a system or network by blocking unwanted network traffic.
Firewalls
An intermediate system working at the Network layer capable of forwarding packets around logical networks of different layer 1 and layer 2 types.
Routers
Type of switch, router, or software that distributes client requests between different resources, such as communications links or similarly-configured servers. This provides fault tolerance and improves throughput.
load balancer
A private network segment made available to a single cloud consumer on a public cloud.
Virtual Private Cloud (VPC)
A public IPv4 address that can be assigned to any instance or network interface in a VPC within an AWS account.
elastic IP address
Using persuasion, manipulation, or intimidation to make the victim violate a security policy. The goal of social engineering might be to gain access to an account, gain access to physical premises, or gather information.
social engineering
A preconfigured, self-contained virtual machine image ready to be deployed and run on a hypervisor.
virtual appliance
A special type of DNS record used to identify the email servers used by a domain.
MX records
Attack that involves the use of infected Internet-connected computers and devices to disrupt the normal flow of traffic of a server or service by overwhelming the target with traffic.
Distributed Denial of Service
An approach that protects the attack from consuming all available bandwidth and impacting other servers and services on the network. It reduces the amount of throughput available to the server or service being attacked.
Rate Limiting
A firewall designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks.
Web Application Firewall (WAF)
Retrieves all the traffic intended for an endpoint and drops both legitimate and malicious traffic.
Blackhole Routing
A cloud service provider is any third-party organization providing infrastructure, application and/or storage services via an “as a service” subscription-based, cloud-centric offering.
Cloud Service Providers
Reflects the methods used to reduce the impact of a distributed denial of service (DDoS) attack. DDoS mitigation can be implemented through the use of special software or by deploying a virtual appliance designed to provide DDoS protection.
DDoS Mitigation Software/Appliance
All-in-one security appliances and agents that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, data loss prevention, content filtering, and so on.
unified threat management (UTM)
A security measure performed on email and internet traffic to identify suspicious, malicious and/or inappropriate content in accordance with an organization’s policies.
Content Filtering
A protocol specifying Internet mail message formats and attachments.
MIME (Multi-Purpose Internet Mail Extensions)
Software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.
Data Loss Prevention (DLP)
Junk messages sent over email (or instant messaging, which is called spim). It can also be utilized within social networking sites.
SPAM
Identifies known bad senders. Security companies typically provide this as a service to organizations to reduce SPAM messages.
SPAM Block Lists (SBL)
Inspecting traffic to locate and block viruses.
Antivirus
A feature of many proxy servers that enables the servers to retain a copy of frequently requested web pages.
caching engines
A server that redirects requests and responses for clients configured with the proxy address and port.
non-transparent proxy
A server that redirects requests and responses without the client being explicitly configured to use it. Also referred to as a forced or intercepting proxy.
transparent proxy
An attack that injects a database query into the input data directed at a server by accessing the client side of the application.
SQL injection
A malicious script hosted on the attacker’s site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site, circumventing the browser’s security model of trusted zones.
cross-site scripting (XSS)
A malicious script hosted on the attacker’s site that can exploit a session started on another site in the same browser.
cross-site request forgery (XSRF)
A web application vulnerability that allows an attacker either to download a file from an arbitrary location on the host file system or to upload an executable or script file to open a backdoor.
file inclusion
An application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.
directory traversal
An open source Web Application Firewall (WAF) for Apache, nginx, and IIS.
ModSecurity
A special cloud-based service that is used to centralize the functions provided by APIs.
API gateway
A system for structuring documents so that they are human- and machine-readable. Information within the document is placed within tags, which describe how information within the document is structured.
eXtensible Markup Language (XML)
Attack where a threat actor injects false resource records into a client or server cache to redirect a domain name to an IP address of the attacker’s choosing.
DNS Poisoning
Amount of time that the record returned by a DNS query should be cached before discarding it.
time to live (TTL)
A security protocol that provides authentication of DNS data and upholds DNS data integrity.
Domain Name System Security Extensions (DNSSEC)
All resource records for a domain that have the same type.
Resource Record Set (RRset)
Used to sign the RRset of a zone in order for it to be verified as trustworthy by receiving systems.
Zone Signing Key
Used to sign the special DNSKEY record which contains the (public) Zone Signing Key.
Key Signing Key
Secure tunnel created between two endpoints connected via an unsecure transport network (typically the Internet).
Virtual Private Network (VPN)
General term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level.
Network Access Control (NAC)
Security appliance or software that uses passive hardware sensors to monitor traffic on a specific segment of the network.
Network intrusion detection system (NIDS)
A server running intrusion detection software that analyzes network traffic for signs of suspicious activity.
NIDS Server
A device that captures network traffic within a specific segment of a network and forwards it to the NIDS Server for analysis.
NIDS Sensors
Copying ingress and/or egress communications from one or more switch ports to another port. This is used to monitor communications passing over the switch.
switched port analyzer (SPAN)
Hardware device inserted into a cable to copy frames for analysis.
test access port (TAP)
A type of NIDS that scans the radio frequency spectrum for possible threats to the wireless network, primarily rogue access points.
wireless intrusion detection system (WIDS)
Wireless access point that has been enabled on the network without authorization.
rogue access points
Wireless access point that deceives users into believing that it is a legitimate network access point.
evil twins
Type of wireless network where connected devices communicate directly with each other instead of over an established medium.
Ad hoc networks
Attack where the threat actor makes an independent connection between two victims and is able to read and possibly modify traffic.
On-path
An inline security device that monitors suspicious network and/or system traffic and reacts in real time to block it.
network intrusion prevention system (NIPS)
An active, inline security device that monitors suspicious network and/or system traffic on a wireless network and reacts in real time to block it.
wireless intrusion prevention system
A type of software that reviews system files to ensure that they have not been tampered with.
File Integrity Monitoring (FIM)
Application protocol used for monitoring and managing network devices. SNMP works over UDP ports 161 and 162 by default.
Simple Network Management Protocol (SNMP)
Cisco-developed means of reporting network flow information to a structured database. NetFlow allows better understanding of IP traffic flows as used by different network applications and hosts.
NetFlow
Web standard for using sampling to record network traffic statistics.
sFlow
A cloud service provider data center.
availability zones
Distributing and replicating the components of any service (such as web apps, media and storage) across all the key service areas needing access to the content.
Content Delivery Network (CDN)
Caching is a technique used for maintaining consistent performance during file access and data processing. It generally works where components are mismatched in terms of the speed at which they can operate. Caching allows a slow component to store data it cannot process at that moment (a disk drive storing up write instructions for instance) or a fast component to pre-fetch data that it might need soon (a CPU storing instructions from system memory for reuse for example).
Caching
The process of creating a simulation of a computing environment, where the virtualized system can simulate the hardware, operating system, and applications of a typical computer without being a separate physical computer.
Virtualization
A guest operating system installed on a host computer using virtualization software (a hypervisor), such as Microsoft Hyper-V or VMware.
virtual machines (VM)
In software development, a user acceptance testing environment that is a copy of the production environment.
Staging
Policies, procedures, and tools designed to ensure defect-free development and delivery.
Quality Assurance (QA)
An IT environment available to consumer for normal, day-to-day use.
Production
A computing environment that is isolated from a host system to guarantee that the environment runs in a controlled, secure fashion. Communication links between the sandbox and the host are usually completely prohibited.
Sandboxing
A network service that stores identity information about all the objects in a particular network, including users, groups, servers, client computers, and printers.
Directory services
Service that maps fully qualified domain name labels to IP addresses on most TCP/IP networks, including the Internet.
Domain Name System (DNS)
A software architecture where components of the solution are conceived as loosely coupled services not dependent on a single platform type or technology.
Service-oriented architecture (SOA)
A common component of SOA architecture that facilitates decoupled service-to-service communication.
enterprise service bus (ESB)
The processes of planning, analysis, design, implementation, and maintenance that often govern software and systems development.
software development life cycle (SDLC)
The process of testing an application after changes are made to see if these changes have triggered problems in older areas of code.
regression test
The developer writes a simple “pass/no pass” test for code. This ensures that a particular block of code performs the exact action intended, and provides the exact output expected.
unit test
Individual components of a system are tested together to ensure that they interact as expected.
integration test
A software development model where the phases of the SDLC cascade so that each phase will start only when all tasks identified in the previous phase are complete.
waterfall model
A software development method that combines several approaches, such as incremental and waterfall, into a single hybrid method that is modified repeatedly in response to stakeholder feedback and input.
spiral method
A software development model that focuses on iterative and incremental development to account for evolving requirements and expectations.
Agile model
The practice of ensuring that the assets that make up a project are closely managed when it comes time to make changes.
version control
Software development method in which code updates are tested and committed to a development or build server/code repository rapidly.
Continuous Integration (CI)
A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment.
security orchestration automation and response (SOAR)
A charity and community publishing a number of secure application development resources.
Open Web Application Security Project (OWASP)
A set of rules governing user security information, such as password expiration and uniqueness, which can be set globally.
account policies
Policies, procedures, and support software for managing accounts and credentials with administrative permissions.
Privileged Access Management (PAM)
A process that provides a shared login capability across multiple systems and enterprises. It essentially connects the identity management services of multiple systems.
Federation
An identity federation method that enables users to be authenticated on cooperating websites by a third-party authentication service.
OpenID
An XML-based data format used to exchange authentication information between a client and a service.
Security Assertion Markup Language (SAML)
An XML-based web services protocol that is used to exchange messages.
Simple Object Access Protocol (SOAP)
An identity federation method that provides single sign-on capabilities and enables websites to make informed authorization decisions for access to protected online resources.
Shibboleth
In PKI, a description of how users and different CAs exchange information and certificates.
trust model
Access control model where each resource is protected by an Access Control List (ACL) managed by the resource’s owner (or owners).
Discretionary Access Control (DAC)
Access control model where resources are protected by inflexible, system defined rules. Resources (objects) and users (subjects) are allocated a clearance level (or label).
Mandatory Access Control (MAC)
Access control model where resources are protected by ACLs that are managed by administrators and that provide user permissions based on job functions.
Role-Based Access Control (RBAC)
An access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted.
Attribute-Based Access Control (ABAC)
A non-discretionary access control technique that is based on a set of operational rules or restrictions to enforce a least privileges permissions policy.
Rule-Based Access Control
Authentication technology that enables a user to authenticate once and receive authorizations for multiple services.
single sign-on (SSO)
AAA protocol used to manage remote and wireless authentication infrastructures.
Remote Authentication Dial-In User Service (RADIUS)
AAA protocol developed by Cisco that is often used to authenticate to administrator accounts for network appliance management.
Terminal Access Controller Access Control System Plus (TACACS+)
Network protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information.
Lightweight Directory Access Protocol (LDAP)
A method of implementing LDAP using SSL/TLS encryption.
Secure LDAP (LDAPS)
Single sign-on authentication and authorization service that is based on a time-sensitive ticket-granting system.
Kerberos
Component of Kerberos that authenticates users and issues tickets (tokens).
Key Distribution Center (KDC)
Standard for federated identity management, allowing resource servers or consumer sites to work with user accounts created and managed on a separate identity provider.
Open Authorization (OAuth)
Framework for negotiating authentication methods that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication, and establish secure tunnels through which to submit credentials.
Extensible Authentication Protocol (EAP)
Standard for encapsulating EAP communications over a LAN (EAPoL) to implement port-based authentication.
IEEE 802.1X
In EAP architecture, the device requesting access to the network.
Supplicant
A PNAC switch or router that activates EAPoL and passes a supplicant’s authentication data to an authenticating server, such as a RADIUS server.
authenticators
Authentication scheme that requires the user to present at least two different factors as credentials, from something you know, something you have, something you are, something you do, and somewhere you are. Specifying two factors is known as 2FA.
multifactor authentication (MFA)
A common form of multi-factor authentication (MFA) that uses two authentication factors, such as something you know and something you have, also known as 2-step authentication.
Two-Factor Authentication (2FA)
Use of a communication channel that is different than the one currently being used.
out-of-band mechanisms
Use of a communication channel that is the same as the one currently being used.
In-band authentication
A server that is not integrated into a Microsoft Active Directory Domain.
standalone server
An algorithm that generates a one-time password using a hash-based authentication code to verify the authenticity of the message.
HMAC-Based One-Time Password (HOTP)
An improvement on HOTP that forces one-time passwords to expire after a short period of time.
Time-Based One-Time Password (TOTP)
A cryptographic module embedded within a computer system that can endorse trusted execution and attest to boot settings and metrics.
hardware root of trust (RoT)
A specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information.
trusted platform module (TPM)
A standardized, stateless architectural style used by web applications for communication and integration.
representation state transfer (REST)
A compact and self-contained method for securely transmitting messages.
JSON Web Token
Proving the integrity and authenticity of a message by combining its hash with a shared secret.
Message Authentication Code (MAC)
Specifications that support redundancy and fault tolerance for different configurations of multiple-device storage systems.
RAID
An operating system virtualization deployment containing everything required to run a service, application, or microservice.
containers
Features and capabilities of a server without needing to perform server administration tasks. Serverless computing offloads infrastructure management to the cloud service provider - for example, configuring file storage capability without the requirement of first building and deploying a file server.
serverless computing
A software architecture where components of the solution are conceived as highly decoupled services not dependent on a single platform type or technology.
microservices
Classifying the ownership and management of a cloud as public, private, community, or hybrid.
cloud deployment model
A cloud that is deployed for shared use by multiple independent tenants.
Public cloud (or multi-tenant)
A cloud service provider is any third-party organization providing infrastructure, application and/or storage services via an “as a service” subscription-based, cloud-centric offering.
cloud service providers (CSPs)
A cloud deployment model where the cloud consumer uses mutiple public cloud services.
Multi-cloud
A cloud that is deployed for use by a single entity.
Private cloud
A method of computing that involves realtime communication over large distributed networks to provide the resources, software, data, and media needs of a user, business, or organization.
cloud computing
A cloud that is deployed for shared use by cooperating tenants.
Community cloud
A concept in which an expanding list of transactional records listed in a public ledger is secured using cryptography.
Blockchain
A component of AI that enables a machine to develop strategies for solving a task given a labeled dataset where features have been manually identified but without further explicit instructions.
Machine learning (ML)
Using AI to identify vulnerabilities and attack vectors to circumvent security systems.
adversarial AI
A refinement of machine learning that enables a machine to develop strategies for solving a task given a labeled dataset and without further explicit instructions.
deep learning
The use of artificial intelligence and machine learning to generate a highly-realistic video of a person. A fake video rendered using deep learning.
deep fakes
A form of authentication that does not require the use of knowledge based information, such as a password, in order to prove identity.
passwordless authentication
Method that allows computation of certain fields in a dataset without decrypting it.
Homomorphic encryption
Calculations performed by more than one system whereby the function used to perform the calculations is only known by a single party.
Secure Multi-Party Computation (MPC/SMPC)
A firmware update delivered on a cellular data connection.
over the air (OTA)
Software that allows deletion of data and settings on a mobile device to be initiated from a remote server.
Remote wipe
A toggle found on mobile devices enabling the user to disable and enable wireless functionality quickly.
airplane mode
Personal authentication mechanism for Wi-Fi networks introduced with WPA3 to address vulnerabilities in the WPA-PSK method.
Simultaneous Authentication of Equals (SAE)
A high performance mode of operation for symmetric encryption. Provides a special characteristic called authenticated encryption with associated data, or AEAD.
AES Galois Counter Mode Protocol (GCMP)
A standard for peer-to-peer (2-way) radio communications over very short (around 4”) distances, facilitating contactless payment and similar technologies. NFC is based on RFID.
Near Field Communication (NFC)
Using the cellular data plan of a mobile device to provide Internet access to a laptop or PC. The PC can be tethered to the mobile by USB, Bluetooth, or Wi-Fi (a mobile hotspot).
hotspot
Using the cellular data plan of a mobile device to provide Internet access to a laptop or PC. The PC can be tethered to the mobile by USB, Bluetooth, or Wi-Fi (a mobile hotspot).
tethering
Security control that can enforce a virtual boundary based on real-world geography.
Geofencing
Adding geographical information to files, such as latitude and longitude coordinates as well as date and time.
Geotagging
Methods of provisioning mobile devices to users, such as BYOD and CYOD.
deployment model
Security framework and tools to facilitate use of personally-owned devices to access corporate networks and data.
Bring your own device (BYOD)
Enterprise mobile device provisioning model where the device is the property of the organization and personal use is prohibited.
Corporate owned, business only (COBO)
Enterprise mobile device provisioning model where the device remains the property of the organization, but certain personal use, such as private email, social networking, and web browsing, is permitted.
Corporate owned, personally enabled (COPE)
Enterprise mobile device provisioning model where employees are offered a selection of corporate devices for work and, optionally, private use.
Choose your own device (CYOD)
Installing an app to a mobile device without using an app store.
sideloading
A type of virtualization applied by a host operating system to provision an isolated execution environment for an application.
Containerization
Process of making a host or app configuration secure by reducing its attack surface, through running only necessary services, installing monitoring software to protect against malware and intrusions, and establishing a maintenance schedule to ensure the system is patched to be secure against software exploits.
hardening
The process of determining what additional software may be installed on a client or server beyond its baseline to prevent the use of unauthorized software.
Execution control
Since version 4.3, Android has been based on Security-Enhanced Linux, enabling granular permissions for apps, container isolation, and storage segmentation.
SEAndroid
A firmware interface that initializes hardware for an operating system boot.
Basic Input/Output System (BIOS)
A type of system firmware providing support for 64-bit CPU operation at boot, full GUI and mouse operation at boot, and better boot security.
Unified Extensible Firmware Interface (UEFI)
A UEFI feature that prevents unwanted processes from executing during the boot operation.
Secure boot
A UEFI feature that gathers secure metrics to validate the boot process in an attestation report.
measured boot
An appliance for generating and storing cryptographic keys. This sort of solution may be less susceptible to tampering and insider threats than software-based storage.
hardware security module (HSM)
A software application running on a single host and designed to protect only that host.
Host-based firewall
A type of IDS that monitors a computer system for unexpected behavior or drastic changes to the system’s state.
Host-based intrusion detection systems (HIDS)
A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats.
endpoint detection and response (EDR)
Storing data across different storage locations (such as multiple data centers) to improve durability and availability
Data dispersion
Splitting encrypted data into parts which are then stored in different storage locations and further encrypted at the storage location.
bit splitting
Splitting encrypted data into parts which are then stored in different storage locations and further encrypted at the storage location.
cryptographic splitting
A software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances.
serverless
Provisioning architecture in which deployment of resources is performed by scripted automation and orchestration.
Infrastructure as Code (IaC)
Enterprise management software designed to mediate access to cloud services by users across all types of devices.
cloud access security broker (CASB)
Devices that can report state and configuration data and be remotely managed over IP networks.
Internet of Things (IoT)
Type of processor designed to perform a specific function, such as switching.
application-specific integrated circuits (ASICs)
A processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture.
field programmable gate array (FPGA)
Network managing embedded devices (computer systems that are designed to perform a specific, dedicated function).
Industrial control systems (ICSs)
Input and output controls on a PLC to allow a user to configure and monitor the system.
human-machine interfaces (HMIs)
Software that aggregates and catalogs data from multiple sources within an industrial control system.
data historian
Type of industrial control system that manages large-scale, multiple-site devices and equipment spread over geographically large areas from a host computer.
supervisory control and data acquisition (SCADA)
Control systems that maintain an optimum heating, cooling, and humidity level working environment for different parts of the building.
HVAC (Heating, Ventilation, Air Conditioning)
A serial network designed to allow communications between embedded programmable logic controllers.
CAN bus (controller area network)
Communications network designed to implement an industrial control system rather than data networking.
operational technology (OT)
A communications protocol used in operational technology networks.
Modbus
A specialized communication protocol used by industrial control systems to acheive automation.
Common Industrial Protocol (CIP)
Associated with industrial controls used in water and electric utilities, DNP3 allows ICS components to communicate with each other.
Distributed Network Protocol (DNP3)
Function that converts an arbitrary length string input to a fixed length string output. A cryptographic hash function does this in a way that reduces the chance of collisions, where two different inputs produce the same output.
hashing
In cryptography, the act of two different plaintext inputs producing the same exact ciphertext output.
collisions
A cryptographic hash function producing a 128-bit output.
Message Digest Algorithm (MD5)
A cryptographic hashing algorithm created to address possible weaknesses in MDA. The current version is SHA-2.
Secure Hash Algorithm (SHA)
A method used to verify both the integrity and authenticity of a message by combining a cryptographic hash of the message with a secret key.
hash-based message authentication code (HMAC)
A type of symmetric encryption that combines a stream of plaintext bits or bytes with a pseudorandom stream initialized by a secret key.
stream cipher
A technique used in cryptography to generate random numbers to be used along with a secret key to provide data encryption.
initialization vector (IV)
A type of symmetric encryption that encrypts data one block at a time, often in 64-bit blocks. It is usually more secure, but is also slower, than stream ciphers.
block cipher
In asymmetric encryption, the private key is known only to the holder and is linked to, but not derivable from, a public key distributed to those with which the holder wants to communicate securely. A private key can be used to encrypt data that can be decrypted by the linked public key or vice versa.
private keys
During asymmetric encryption, this key is freely distributed and can be used to perform the reverse encryption or decryption operation of the linked private key in the pair.
public key
A message digest encrypted using the sender’s private key that is appended to a message to authenticate the sender and prove message integrity.
digital signature
An email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications.
Secure/Multipurpose Internet Mail Extensions (S/ MIME)
A library of programming utilities used, for example, to enable software developers to access functions of the TCP/IP network stack under a particular operating system.
application programming interface (API)
An EAP method that requires server-side and client-side certificates for authentication using SSL/ TLS.
EAP Transport Layer Security (EAP-TLS)
EAP implementation that uses a server-side certificate to create a secure tunnel for user authentication, referred to as the inner method.
Protected Extensible Authentication Protocol (PEAP)
An EAP method that enables a client and server to establish a secure connection without mandating a clientside certificate.
EAP Tunneled Transport Layer Security (EAP-TTLS)
An EAP method that is expected to address the shortcomings of LEAP.
EAP with Flexible Authentication via Secure Tunneling (EAP-FAST)
Network protocol suite used to secure data through authentication and encryption as the data travels across the network or the Internet.
Internet Protocol Security (IPSec)
IPSec protocol that provides authentication for the origin of transmitted data as well as integrity and protection against replay attacks.
Authentication Header (AH)
IPSec sub-protocol that enables encryption and authentication of the header and payload of a data packet.
Encapsulating Security Payload (ESP)
A cipher that uses public and private keys. The keys are mathematically linked, using either Rivel, Shamir, Adleman (RSA) or elliptic curve cryptography (ECC) alogrithms, but the private key is not derivable from the public one. An asymmetric key cannot reverse the operation it performs, so the public key cannot decrypt what it has encrypted, for example.
Elliptic curve cryptography (ECC)
A technique that strengthens potentially weak input for cryptographic key generation, such as passwords or passphrases created by people, against bruteforce attacks.
Key stretching
Framework of certificate authorities, digital certificates, software, services, and other cryptographic components deployed for the purpose of validating subject identities.
Public key infrastructure (PKI)
Information that is primarily stored on specific media, rather than moving from one medium to another.
Data at rest
Information that is being transmitted between two hosts, such as over a private network or the Internet.
Data in transit
The use of a specialized card containing cryptographic information to achieve authentication.
Smart card authentication
A server that guarantees subject identities by issuing signed digital certifcate wrappers for their public keys.
certificate authority (CA)
A method of validating a certificate by tracing each CA that signs the certificate, up through the hierarchy to the root CA. Also referred to as chain of trust.
certificate chaining
A Base64 ASCII file that a subject sends to a CA to get a certificate.
certificate signing request (CSR)
Field in a digital certificate allowing a host to be identifed by multiple host names/subdomains.
Subject Alternative Name (SAN)
A single SSL certificate that can be used to secure multiple, different domain names.
multi-domain certificates
The method of using a digital signature to ensure the source and integrity of programming code.
code signing
A list of certificates that were revoked before their expiration date.
certificate revocation list (CRL)
Allows clients to request the status of a digital certificate, to check whether it is revoked.
Online Certificate Status Protocol (OCSP)
A deprecated method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize man-in-the-middle attacks.
Pinning
Allows a webserver to perform certificate status checking instead of the browser. The webserver checks the status of a certificate and provides the browser with the digitally signed response from the OCSP responder.
Certificate stapling
An inexperienced, unskilled attacker that typically uses tools or scripts created by others.
script kiddie
A type of threat actor who is assigned privileges on the system that cause an intentional or unintentional incident.
insider threat
A type of threat actor that uses hacking and computer fraud for commercial gain.
organized crime
A threat actor that is motivated by a social issue or political cause.
Hacktivists
An attacker’s ability to obtain, maintain, and diversify access to network systems using exploits and malware.
Advanced Persistent Threat (APT)
A type of threat actor that is supported by the resources of its host country’s military and security services.
State actors
A risk management approach to quantifying vulnerability data and then taking into account the degree of risk to different types of systems or information.
Common Vulnerability Scoring System (CVSS)
An attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory. This can allow the attacker to crash the system or execute arbitrary code.
Buffer overflow
A technique that randomizes where components in a running application are placed in memory to protect against buffer overflows.
Address Space Layout Randomization (ASLR)
A form of malware protection designed to block applications (malware) that attempt to run from protected memory locations.
Data Execution Protection (DEP)
The process of reviewing uncompiled source code either manually or using automated tools.
Static code analysis
Exploit technique that runs malicious code with the ID of a legitimate process.
code injection
A vulnerability that allows an attacker to transmit code from a remote host for execution on a target host or a module that exploits such a vulnerability.
remote code execution (RCE)
An application attack that targets web-based applications by fabricating LDAP statements that are typically created by user input.
LDAP injection
Where a threat actor is able to execute arbitrary shell commands on a host via a vulnerable web application.
Command injection
Exploiting a misconfiguration to direct traffic to a different VLAN without authorization.
VLAN hopping
Group of network prefixes under the administrative control of a single organization used to establish routing boundaries.
autonomous systems (AS)
Analysis of the headers and payload data of one or more frames in captured network traffic.
Packet analysis
Analysis of per-protocol utilization statistics in a packet capture or network traffic sampling.
Protocol analysis
Command-line packet sniffing utility.
tcpdump command
Widely used protocol analyzer.
Wireshark
OS and applications software can be configured to log events automatically. This provides valuable troubleshooting information. Security logs provide an audit trail of actions performed on the system as well as warning of suspicious activity. It is important that log configuration and files be made tamper-proof.
logs
A widget showing records or metrics in a visual format, such as a graph or table.
Visualization
Standards-based version of the Netflow framework.
IP Flow Information Export (IPFIX)
A sign that an asset or network has been attacked or is currently under attack.
indicator of compromise (IOC)
Solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.
Security information and event management (SIEM)
In security scanning, a case that is reported when it should not be.
false positive
In security scanning, a case that is not reported when it should be.
False negatives
In security scanning, a case that is reported when it should be.
True positive
In security scanning, a case that is not reported when it should not be.
true negative
Specific procedures that must be performed if a certain type of event is detected or reported.
Incident response plans (IRP)
The record of evidence history from collection, to presentation in court, to disposal.
chain of custody
In digital forensics, the method and tools used to create a forensically sound copy of data from a source device, such as system memory or a hard disk.
Data acquisition
A highly adaptable, open-source network scanner used primarily to scan hosts and ports to locate services and detect vulnerabilites.
Nmap
Spoofing frames to disconnect a wireless station to try to obtain authentication data to crack.
deauthentication attack
An attack against Windows systems designed to replace the important DLL’s needed by software applications with malicious alternatives.
DLL hijacking
VM Escape
This VM exploit gives an attacker access to the underlying host operating systems and thereby access to all other VMs running on that host machine.
